Recently services.exe started exhibiting behavior whereby every 15 minutes or so it will ramp up over the course of 1-2 minutes to use all available memory on the system (in my case all 8GB of memory). It will stay there for a couple of minutes and then ramp down to normal again.

The process itself goes from using ~40MB of memory to ~5GB+ memory and then back to ~40MB.

I've gotten a dump of the process while it was ramping up by using procdump and the 3GB file contained repeating data--it looked like pointers to function calls or return addresses when I looked at it with windbg.

I also took a look with procmon but the data wasn't very enlightening--there wasn't much to look at and what was there looked normal.

What I'm looking for are pointers on how to better look at memory usage by an application so that I can attempt to figure out what is causing this behavior.

1 Answer

OK. If this happens approximately every 15 minutes, you can wait for it to happen and act fast. It is not necessary to dump the process.

Services.exe is the process that launches the services.
The services don't run by themselves; they are hosted by the svchost.exe processes.

So to know why this is happening, why your machine is consuming that RAM, you need to know which service is causing it.

To accomplish that you can use the Microsoft Sysinternals tool called Process Explorer.
With this tool you can sort the processes by memory and, more interestingly, if you click on a svchost.exe process you will be able to see which services it is running.
In Process Explorer you can see the processes as a tree of parents and children, so you can see which child process of which svchost is causing the issue.

With Process Explorer you can also see what threads have been loaded within the process (you have to load the symbols in order to see their real names; just go to the Options menu, Configure Symbols). If you see any strange thread you will be able to see its threads and see which thread is probably causing the hang.

And finally, if this happens too quickly for you, in Process Explorer you can right-click on a process and select Suspend. This will pause the execution until you manually resume it, and you will have time to analyze things.
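
A scripted way to catch the ramp-up described in this thread, as an added example that is not part of the original question or answer: it samples the memory of services.exe and every svchost.exe on an interval and, when one crosses a threshold, records which services that process hosts. The threshold, interval, log path and the function names `Get-HostedServices` and `Get-ServiceHostSample` are assumptions chosen for illustration.

```powershell
# Added example (not from the original thread).
# Assumed values: adjust the threshold, interval and log path to your system.
$ThresholdMB = 500
$IntervalSec = 5
$LogPath     = Join-Path $env:TEMP 'svc-memory-samples.csv'

function Get-HostedServices {
    param([int]$ProcessId)
    # Win32_Service.ProcessId links each running service to its host process.
    Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object -ExpandProperty Name
}

function Get-ServiceHostSample {
    # One row per services.exe / svchost.exe instance with its memory counters.
    Get-Process -Name services, svchost -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time      = Get-Date -Format o
                Name      = $_.ProcessName
                ProcessId = $_.Id
                PrivateMB = [math]::Round($_.PrivateMemorySize64 / 1MB, 1)
                WorkingMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
                Handles   = $_.HandleCount
                Threads   = $_.Threads.Count
                Services  = ''
            }
        }
}

# Runs until interrupted with Ctrl+C; every sample is appended to the CSV.
while ($true) {
    $samples = @(Get-ServiceHostSample)
    foreach ($s in $samples) {
        if ($s.PrivateMB -ge $ThresholdMB) {
            # Resolve hosted services only for processes over the threshold.
            $s.Services = @(Get-HostedServices -ProcessId $s.ProcessId) -join ';'
            $msg = '{0} PID {1} at {2} MB private. Services: {3}' -f $s.Name, $s.ProcessId, $s.PrivateMB, $s.Services
            Write-Warning $msg
        }
    }
    $samples | Export-Csv -Path $LogPath -Append -NoTypeInformation
    Start-Sleep -Seconds $IntervalSec
}
```

Leaving this running across two or three 15-minute cycles gives a CSV that shows which process grows first and how the handle and thread counts move with it.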